Engineering Windows 7

Welcome to our blog dedicated to the engineering of Microsoft Windows 7

UAC Feedback and Follow-Up

When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both. Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve.

This post is an attempt to get both the blog right and the feature right. We don’t like where we are in terms of how folks are feeling and we don’t feel good – Windows 7 is too much fun and folks are having too much fun for us to be having the dialog we’re having. We hope this post allows us to get back to having fun!

To start we’ll just show representative comments from the spectrum of feedback. We’ll then talk about the changes we’re making and also make sure we’re all on the same page regarding how we move forward. In terms of comments we’ve heard the following:

@sroussey says:

You have 95% of the people out there think you got it wrong, even if they are the ones that got it wrong. The problem is that they are the ones that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

And @Thack says:

Jon,

Thanks for sharing your thoughts.  I understand your points.

Now, I want add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking.  No other changes.  Leave the default level as it is, and keep UAC as it is.  We're just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance - most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level. 

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument.  Somebody WILL get past those other boundaries eventually.

Even if you aren't convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it's just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

With this feedback and a lot more, we are going to deliver two changes in the Release Candidate that we'll all see. First, the UAC control panel will run in a high-integrity process, which requires elevation to start. That was already in the works before this discussion; because User Interface Privilege Isolation does not let a lower-integrity process send window messages or synthesized input to a higher-integrity window, it stops the SendKeys-style automation of the control panel that has been discussed. Second, changing the UAC level will itself prompt for confirmation.

@mdaria510 says:

Sometimes, inconsistency with your own ideals is a good thing. Make an exception, if only to put people's fears to rest.

That sums up where we are heading. The first change was a bug fix, and we actually have a couple of others similar to it; this is still a beta, even if many of us are running it full time. The second change is due directly to the feedback we're seeing. This "inconsistency" in the model is exactly the path we're taking. The way we're going to think about this is that the UAC setting is something like a password: to change your password you need to enter your old password.

The feedback is that UAC is special because, if changing it did not require elevation, it could be used to silently disable future warnings; so changing the UAC setting will require an elevation. To the points in the comments, we also don't want to create a sense or expectation of security that is not there: you should still not download code and run it unless you trust the source. HTML, EXE, VBS, BAT, CMD and more are all code, and all of them can alter the environment (user settings, user files) whether running as a standard user or as an administrator. We're focused on helping people make sure that code doesn't get on the machine without consent, and many third-party tools can help further. We want people to be comfortable with the new UAC control and the new default setting, so we'll make the changes outlined above, as the feedback has been clear.
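To make the two changes above concrete, here is an added example (not code from this post or from Windows itself) that a practitioner can run on a Windows 7 box: it reports the integrity level of the process it runs in, taken from the token's mandatory-label SID, and reads the UAC policy values that the UAC slider writes under HKLM. The value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the documented Group Policy settings; the mapping from slider positions to those values given in the comments is the generally documented one and is an assumption to verify on the build in hand. The script only reads; it changes nothing.

```powershell
# Added example, not part of the Engineering Windows 7 post.
# Reports the current process's integrity level and the UAC policy values.

# Integrity level comes from the token's mandatory-label SID (S-1-16-<RID>).
$integrityNames = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-ProcessIntegrityLevel {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $label = $identity.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    if ($null -eq $label) { return 'Unknown' }
    if ($integrityNames.ContainsKey($label.Value)) { return $integrityNames[$label.Value] }
    return $label.Value
}

function Test-IsElevated {
    # True only when the process holds the full (elevated) administrator token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Documented Group Policy location of the UAC settings.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $props = Get-ItemProperty -Path $uacKey
    [pscustomobject]@{
        EnableLUA                  = $props.EnableLUA
        ConsentPromptBehaviorAdmin = $props.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $props.PromptOnSecureDesktop
    }
}

# ConsentPromptBehaviorAdmin values ("Behavior of the elevation prompt for
# administrators in Admin Approval Mode"):
#   0 = elevate without prompting        1 = prompt for credentials on the secure desktop
#   2 = prompt for consent on the secure desktop   3 = prompt for credentials
#   4 = prompt for consent               5 = prompt for consent for non-Windows binaries
# Assumed slider mapping on Windows 7 (verify on your build): "Always notify" = 2/1,
# the default = 5/1, the third position = 5/0, "Never notify" sets EnableLUA = 0.
function Get-UacFindings {
    param([pscustomobject]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is off and every admin process runs with a full token.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: elevation is silent, so no prompt marks the boundary.'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: the prompt is drawn on the user desktop, where other software can draw over or spoof it.'
    }
    return $findings
}

$integrity = Get-ProcessIntegrityLevel
$elevated  = Test-IsElevated
$policy    = Get-UacPolicy

"Process integrity level : $integrity"
"Running elevated        : $elevated"
"EnableLUA={0} ConsentPromptBehaviorAdmin={1} PromptOnSecureDesktop={2}" -f `
    $policy.EnableLUA, $policy.ConsentPromptBehaviorAdmin, $policy.PromptOnSecureDesktop
$findings = Get-UacFindings -Policy $policy
if ($findings.Count -eq 0) { 'No weak UAC settings found.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it once from a normal prompt and once from an elevated one: the first run reports Medium integrity and not elevated, the second High and elevated. The policy values are the ones a non-elevated process could previously have changed by driving the control panel; after the Release Candidate change, writing them goes through an elevated, high-integrity process, so a medium-integrity process can neither write the key directly nor drive the UI.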

While we're discussing this, we want to make sure we're all on the same page going forward in terms of how we will evaluate the security of Windows 7. Aside from the UAC setting, each discussion of the vulnerability aspects of the Windows 7 Beta has started with getting code onto the machine, which the mechanisms of Windows prevented in the cases shown. We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step: if the first step is "first get code running on the machine," then nothing after that is material, whether it is changing settings or anything else. We will treat very seriously the ability to get code onto a machine and run it without consent. As Jon's post highlighted briefly, the work in Windows 7 is about increased protections to keep your PC from acquiring and running code without your consent, and of course we continue to make sure Windows code itself is secure from both tampering and circumvention of the protections in the system.

We want to reiterate the security of the system overall. Windows 7 follows SD3+C (secure by design, secure by default, secure in deployment, and communications) and is designed to be more secure than Vista; that's our priority. None of us want Windows 7 to be perceived as less secure than Vista in any way, because our design point is to make sure it is more secure than Windows Vista, by default.

We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7. We want to continue the dialog and hopefully everyone recognizes that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints expressed. We don’t want the discussion to stop being so lively or the viewpoints to stop being expressed, but we do want the chance to learn and to be honest about what we learned and hope for the same in return. This blog has almost been like building an extra product for us, and we’re having a fantastic experience. Let’s all get back to work and to the dialog about Engineering Windows 7. And of course most importantly, we will continue to hear all points of view and share our point of view and work together to deliver a Windows 7 product that we can all feel good about.

--Jon and Steven

  • And another word about security in build 7000: Microsoft seems to be removing some other things which could help especially technical users to see that something is wrong in the system. I am speaking about the ability to display icons for each network card near the clock (with animation when data is transferred).

    Very useful, and it could notify you very quickly that something is being transferred when the user isn't doing anything. Such details should be brought back... Without them even the best UAC will be incomplete.

  • I agree with this change, however you've still done nothing about the RunDll32.exe exploit, and yesterday I proved that there's a code-injection exploit where any unelevated process can elevate itself silently (even if RunDll32.exe is fixed).

    I also really don't buy your logic.

    If, as you seem to be saying, it doesn't matter if an exploit is only possible from code already running (unelevated) on the box, then why do we have UAC prompts for anything at all?

    If we implicitly trust all running code, and if we aren't supposed to care that all running code can elevate itself silently via the backdoor, then why don't we simply allow all running code to elevate silently via the proper route, without a UAC prompt?

    In other words, ditch the new mode and make the default the setting (that was already an option in Vista) where UAC is enabled but all elevation requests from all applications are granted without a prompt.

    That wouldn't be less secure than what we have now by default in Win 7, if you're going to leave the trivially-exploitable backdoors open, and it would mean that users don't have to be bothered by prompts from well-behaved software that doesn't exploit the backdoors.

    Either silent elevation is important or it isn't.

    - If it is important then you shouldn't be dismissing the other two exploits.

    - If it isn't important then you should be getting rid of all UAC prompts and allowing silent elevation everywhere, without prompting the user for no purpose (beyond security theatre) and without making things resort to backdoors.

    Information on the code-injection exploit that I found is here:

    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

  • Thank you for listening.

    Now one last major issue which is on the UI:

    - When a window or program is maximized, the borders and the superbar stay transparent. This causes a problem when a user has a changing background, a bright background, or an animated one, because it is distracting and feels like Windows wants the user's attention, but it does not. I think it would be best to either use the Vista behavior or at least have an option to change the behavior from Win7 to Vista.

  • "UNIX is truly secure by design" ? Bull. It's another academic OS that did at least have multiuser capability baked in. One all-powerful account which, if hacked, gives you the keys to all kingdoms ? Come on. A truly secure system would be more like VMS with an ACL for everything; the operators can install new drivers but not add accounts, the auditors can read logs but not write them etc. etc.

    Microsoft is going in the right direction with some of the system file permissions - administrator is not omnipotent. So is Linux with SELinux etc., but we're not there yet.

  • @Leo

    Very good work.

    They already admitted it in their earlier blog post by saying that UAC is not a security feature. The new UAC level is only an imitation of a security feature, created for marketing purposes.

    With a little irony you could say they created it with the ingenious plan in mind of making users demand the stronger UAC settings.

  • LinuxGuyInRI :

    There is a reason why every other operating system uses a UNIX permission structure - it's because UNIX is truly secure by design.

    Perhaps Microsoft should think about that as they redesign the security wheel for the millionth time.

    Microsoft, do what you do best for once; copy someone else's design.

    Your users won't even notice the difference:

    http://www.zdnet.com.au/insight/software/soa/Is-it-Windows-7-or-KDE-4-/0,139023769,339294810,00.htm

    ---------------

    You should really look into how the security in the NT kernel works. Once you do that you will realize the Unix permission structure is vastly inferior to the NT model. I would even go so far as to say the opposite: in standard Unix there is one root and one root only. In Windows you have ACLs/DACLs. That way you can specify on _each_ kernel object what should be allowed, by whom, and what shouldn't. This cannot be done in Unix. The Unix permission scheme is simple; the only thing making Unix more "secure" is that it forced people early on _not_ to run their apps as root.

    However, malware doesn't need to be root to gather private data from your computer, and it is as easily done on a Unix box as on a Windows box. On a Windows box you are freer to set up your environment and tailor it to minimize the damage of a possible breach.

    Either way, I encourage you to read up on it.

  • One other thing I'd like to see - the install process say "now create a standard account for day-to-day use".

    There's nothing to tell a naive home user to use the account manager.

    Using a nonprivileged account is effective against zero-day malware, and free.

    It is also a good defense against accidental damage by other users, such as children, and is I believe a prerequisite for parental controls to work. With all the work that Microsoft has put into the UAC and virtualization, there is no reason not to use a standard account by default.

  • @niclas

    I found myself agreeing with most of your post, except for:

    > On a Windows box you are freer to set up your
    > environment and tailor it to minimize the damage
    > of a possible breach.

    With UAC on Vista and Windows 7, there are some scenarios where the OS forces you to use an admin token.  On Windows XP and Linux, the power user is able to decide whether an installer or an executable should have root/admin access to the system.

    Regards,

    Patrick

  • I am really inspired by this w7 engineering blog.

    I am a mobility developer on major mobile platforms and a strong advocate of many Microsoft technologies and in the last year or two I have had strong opinions on the strategies of the company.

    I'm not trying to toot my own horn here but this blog has really inspired me and makes me think the day "you are listening" has finally come.

    I'm going to try to take part more in commenting on w7 engineering articles, as well as posting my overall thoughts on strategies going forward.

    I really want to see what I call Microsoft 2.0 emerge in a time that it is being attacked and challenged on all fronts.

    The answer to me is very clear, the challenge however is very tough and I want to make my ideas, opinions and thoughts public.

    Thanks for inspiring me in this blog seeing your dedication to opening channels to the community.

    I also would love to see a UI/usability blog for w7 because, as much as people are talking about the new taskbar, I am disappointed in the lack of innovation in the last 10 years in UI for Windows.

    We are in a touch screen generation, with multiple monitors and UMPC/MID's and windows UI does not scale / adapt well let alone expose much flexibility.

    w7 engineering seems to be nailing down performance.

    However even with the latest technologies, why is it an iPhone can finger scroll a web page better than w7 & IE8 on a quad core desktop machine?

    I sometimes feel there is some lack of vision of where Windows usage is going in the future.

    For myself, mobility is the next big boom, although I am biased of course since I work in the industry, but Windows does not set itself up as an innovator here.

    Recently Microsoft has been a reactor to trends, not a maker of trends.

    I really want to see this change. Many things are clear to me about what needs to be done.

    Sorry for the lengthy text. Strategy is a passion for me and I don't want to see a repeat of the last 8 years.

    For example, everything I see shows Windows based MID, UMPC, Desktop, Notebook, multi touch devices having the same basic desktop.

    The iPhone is a perfect example that usability and UI has to be tailored to its use.

    Simply slapping a taskbar and desktop with a start menu on a MID is not going to be acceptable.

    The OS itself is solid. It's time for a change in how users use Windows.

    I hope to comment on the under the hood engineering on this blog and write my various thoughts at my blog since I don't know where else to drum up ideas, comments and feedback that maybe some day can be visible:

    http://strategyblog.nureality.ca

  • Um, Guys, we have a SERIOUS problem with windows 7 - can we focus on the BLUESCREEN issue with tdx.sys?  A lot of us are running windows 7 without antivirus!!! HELP??!!!

  • http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    Microsoft, please read that site. You need to come up with a fix for this in order to call UAC secure. Unelevated processes are still capable of doing anything.

  • A perspective offered first as a suggestion to improve had then to take on the role of being a dogmatic approach to make engineering understand that the true intentions of releasing a product that harbors an ecosystem as vast and immaculate as Windows is not always to dictate a technical accuracy. It is in essence a die hard effort at preserving the good will and pristine faith that close to 90% of the tech savvy world vests in to Microsoft. I am privileged both as a technologist and as a consumer to have patronized Microsoft for over a decade now.

  • Why don't you simply solve this misunderstanding with UAC's newbies improving communication?

    IMHO, a rolling video that explains UAC and its settings in depth would solve the problem, using a two-level terminology: one for expert users talking about admin rights etc., and one for newbies (so both will be pleased).

    Would be so simple...

  • PS

    This video obviously should be played during Win7 installation..

  • > w7 engineering seems to be nailing

    > down performance.

    > However even with the latest technologies,

    > why is it an iPhone can finger scroll

    > a web page better than w7 & IE8 on

    > a quad core desktop machine?

    > I sometimes feel there is some lack

    > of vision of where Windows usage

    > is going in the future.

    Once again: Microsoft has got a product which is old but quite well regarded (XP). Development on it has stopped and we have Vista (Windows 6.x). It's very often criticized. Microsoft decided to continue Vista instead of moving the good Vista things into the older, better code (XP). Seven is improved in many things, but still worse than XP (yes, in the opinion of many people it's worse, and the numbers confirm it). Why?

    I was thinking and probably found one of the answers: it's part of MS strategy. See http://www.pcpro.co.uk/news/245859/qa-microsoft-defends-return-to-drm.html MS opened a new music shop where prices are higher than in competing shops and which uses DRM (competing shops don't have it).

    Another possibility: in the Windows 3.11 era and the Windows 98 SE era there were managers who were able to force architecture changes (from 3.11 to 9x, from 9x to XP based on NT). Currently managers are afraid of any change. The shared Registry or other much-criticized things? They will stay, because we want them to... It isn't possible to continue a strategy which was good 10 years ago. The market is different, people are more educated,...
